Universal forwarder and WMI

Explorer

I have a question about how to get a universal forwarder to send the data I would normally receive from WMI. I am trying to get remote performance monitoring from the universal forwarders. I currently have 3 servers with universal forwarders installed on them and one indexer. After the initial install I can't seem to change any setting with the universal forwarders. Should I add the servers to the event log collection with WMI? And if I were to do that, would the data be sent through the Universal Forwarders? All of the servers are Windows based.

0 Karma

Splunk Employee

You can copy the wmi.conf file from the Windows App to UF's etc/system/local, then you'll get more WMI performance events, such as WMI: CPUTime, WMI: Memory, etc.

Splunk Employee

One more thing: inputs.conf and wmi.conf will both pull Windows Event logs with two different sourcetypes; you might want to disable one of them to avoid duplicated events. The Windows app dashboard uses input from inputs.conf, so I suggest disabling the inputs from wmi.conf, events with sourcetypes: [WMI:LocalApplication], [WMI:LocalSystem], [WMI:LocalSecurity].

0 Karma
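
An added example (not from the thread or from Splunk): a small Python check for the overlap described in the answer above, flagging Windows event logs that are enabled in both inputs.conf and wmi.conf. The sample file contents are constructed; it assumes the event-log inputs appear as `[WinEventLog://...]` stanzas in inputs.conf and as `event_log_file` entries in wmi.conf, and that a stanza with no `disabled` key is enabled.

```python
import configparser
import re

# Constructed sample configs, not taken from the thread.
SAMPLE_INPUTS = """\
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
"""
SAMPLE_WMI = """\
[WMI:LocalApplication]
event_log_file = Application
disabled = 0
[WMI:LocalSecurity]
event_log_file = Security
disabled = 1
[WMI:CPUTime]
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name = "_Total"
"""

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _enabled(stanza):
    # Assumption: a stanza without a "disabled" key is treated as enabled.
    return stanza.get("disabled", "0").strip().lower() not in ("1", "true")

def duplicated_event_logs(inputs_text, wmi_text):
    """Map each event log enabled in BOTH files to the WMI stanza repeating it."""
    inputs, wmi = _load(inputs_text), _load(wmi_text)
    native = set()
    for name in inputs.sections():
        # Tolerates the stanza name with or without the "//" after the colon.
        m = re.fullmatch(r"WinEventLog:(?://)?(.+)", name)
        if m and _enabled(inputs[name]):
            native.add(m.group(1).lower())
    dupes = {}
    for name in wmi.sections():
        if not name.startswith("WMI:") or not _enabled(wmi[name]):
            continue
        # event_log_file may name several logs, comma separated.
        for log in wmi[name].get("event_log_file", "").split(","):
            if log.strip().lower() in native:
                dupes[log.strip()] = name
    return dupes

print(duplicated_event_logs(SAMPLE_INPUTS, SAMPLE_WMI))
```

Performance stanzas such as `[WMI:CPUTime]` carry a `wql` query rather than `event_log_file`, so they are never reported.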

Explorer

Thanks, that worked perfectly.

0 Karma

Motivator

Are you getting any data at all from the UF to the indexer?

If so, are you trying to use deployment server to send configuration for WMI to UF?

If you just want to set up WMI on just the three UF systems and they are already sending logs, then just set up a wmi.conf file in the etc/system/local directory. The wmi.conf file will tell the UF what to collect.

Use this type of stanza in the wmi.conf file:

[WMI:CPUTime]
interval = 5
disabled = 0
server = localhost
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name = "_Total"

Motivator

Sure, anything I can do to help.

Post a question if you have something specific you need help with.

0 Karma

Path Finder

Would love to get some help with this from you, hartfoml, if you wouldn't mind.

0 Karma

Explorer

Thanks for the help!

0 Karma

Motivator

Send me an email if you need anything else. I have set this exact thing up in my environment and am very familiar. Glad to help if I can.

0 Karma

Explorer

Yeah, I am receiving data from the UF, just not everything I'm wanting.
By the end of the year we will be using Splunk to monitor over 300 servers so we are just testing and configuring right now.

I will give that a try.

Thank you,

0 Karma